Hi Tobias,
Please keep in mind these limitations
https://www.knot-dns.cz/docs/2.4/singlehtml/index.html#limitations
I would recommend you to stay with the old algorithm for the next
two months until Knot 2.5.0 is released. This version will introduce
a better interface for DNSSEC administration, including KSK rollover!
Daniel
On 03/27/2017 02:56 PM, Tobias Brunner wrote:
Hi,
I'm in the process of changing the key algorithm from the former Knot
default of RSASHA256 to the newer default ecdsap256sha256. For this I
have just updated the DNSSEC policy and reloaded Knot. This created a
new ZSK and signed the zone with this new ZSK, but also with the old
one. Now the zone is signed with two ZSKs. How can I get rid of the old ZSK?
I already tried to set "retire" and "remove" on the old ZSK with keymgr
to a value in the near future, but that just led to the error message
"keys validation failed (missing active KSK or ZSK)" when issuing a
zone-sign to this particular zone. So I'm stuck now.
Additionally: How can I do a KSK rollover to also change the algorithm
from RSASHA256 to ecdsap256sha256? I couldn't find any documentation
explaining this step. I know that I need to have two KSKs until the DS
record on the parent is updated pointing to the new key, but I don't
know how to create a new KSK with Knot.
Thanks in advance for explaining the process.
Cheers,
Tobias
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
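The situation described in the thread, a zone published with DNSKEYs of two algorithms (RSASHA256 = 8 and ECDSAP256SHA256 = 13) during a rollover, has a validation rule attached to it: RFC 4035 section 2.2 requires that every signed RRset carries an RRSIG for each algorithm present in the apex DNSKEY RRset, which is why a signer refuses a key set where one algorithm has no active KSK or ZSK. The script below is an added example, not code from the thread or from the Knot DNS project; it works on constructed zone records (key and signature material replaced by placeholders) and reports which RRsets still lack a signature for one of the published algorithms and which algorithm has no KSK yet. On a real zone the records would come from the signed zone file or a zone transfer.

```python
"""
Check the double-signature state of a DNSSEC algorithm rollover
(RFC 6781 section 4.1.4, RFC 4035 section 2.2): while DNSKEYs of two
algorithms are published, every signed RRset must carry an RRSIG made
with each of those algorithms, and each algorithm needs a KSK before
the DS at the parent can be switched.

All records below are constructed for illustration; the zone name,
key ids and signature fields are placeholders.
"""
from collections import defaultdict

# DNSSEC algorithm numbers from the IANA registry
RSASHA256 = 8
ECDSAP256SHA256 = 13

# DNSKEY flag values: 257 = KSK (SEP bit set), 256 = ZSK
KSK_FLAGS = 257
ZSK_FLAGS = 256

# Constructed zone data as (owner, rrtype, rdata) tuples.
ZONE_RECORDS = [
    ("example.com.", "DNSKEY", "257 3 8 <ksk-rsa>"),
    ("example.com.", "DNSKEY", "256 3 8 <zsk-rsa>"),
    ("example.com.", "DNSKEY", "256 3 13 <zsk-ecdsa>"),
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"),
    ("www.example.com.", "A", "192.0.2.1"),
    # RRSIG rdata: type-covered algorithm labels original-ttl expiration inception keytag signer signature
    ("example.com.", "RRSIG", "DNSKEY 8 2 3600 20170501000000 20170401000000 11111 example.com. <sig>"),
    ("example.com.", "RRSIG", "SOA 8 2 3600 20170501000000 20170401000000 22222 example.com. <sig>"),
    ("example.com.", "RRSIG", "SOA 13 2 3600 20170501000000 20170401000000 33333 example.com. <sig>"),
    ("www.example.com.", "RRSIG", "A 8 3 3600 20170501000000 20170401000000 22222 example.com. <sig>"),
]


def dnskey_algorithms(records):
    """Return the set of algorithm numbers present in the apex DNSKEY RRset."""
    return {int(rdata.split()[2]) for _, rrtype, rdata in records if rrtype == "DNSKEY"}


def key_roles_by_algorithm(records):
    """Map each DNSKEY algorithm to the key roles (KSK/ZSK) published for it."""
    roles = defaultdict(set)
    for _, rrtype, rdata in records:
        if rrtype != "DNSKEY":
            continue
        flags, _proto, alg = (int(f) for f in rdata.split()[:3])
        if flags == KSK_FLAGS:
            roles[alg].add("KSK")
        elif flags == ZSK_FLAGS:
            roles[alg].add("ZSK")
    return dict(roles)


def algorithms_without_ksk(records):
    """Algorithms whose DNSKEYs contain no KSK: the DS at the parent cannot
    point at them yet, so the rollover is not complete for those algorithms."""
    roles = key_roles_by_algorithm(records)
    return sorted(alg for alg, r in roles.items() if "KSK" not in r)


def rrsig_coverage(records):
    """Map (owner, covered type) to the set of algorithms that signed it."""
    covered = defaultdict(set)
    for owner, rrtype, rdata in records:
        if rrtype == "RRSIG":
            fields = rdata.split()
            covered[(owner, fields[0])].add(int(fields[1]))
    return covered


def find_missing_signatures(records):
    """List (owner, rrtype, algorithm) triples where an RRset lacks a
    signature for an algorithm that appears in the apex DNSKEY RRset.
    An empty list means the zone is consistently double-signed."""
    algorithms = dnskey_algorithms(records)
    coverage = rrsig_coverage(records)
    rrsets = {(owner, rrtype) for owner, rrtype, _ in records if rrtype != "RRSIG"}
    missing = []
    for owner, rrtype in rrsets:
        for alg in algorithms:
            if alg not in coverage.get((owner, rrtype), set()):
                missing.append((owner, rrtype, alg))
    return sorted(missing)


if __name__ == "__main__":
    print("DNSKEY algorithms:", sorted(dnskey_algorithms(ZONE_RECORDS)))
    print("algorithms without a KSK:", algorithms_without_ksk(ZONE_RECORDS))
    for owner, rrtype, alg in find_missing_signatures(ZONE_RECORDS):
        print(f"{owner} {rrtype} has no RRSIG with algorithm {alg}")
```

On the constructed data the check flags the apex DNSKEY RRset and the www A record as unsigned by algorithm 13, and reports that algorithm 13 has no KSK; that is the state before the new KSK exists and before the signer re-signs every RRset with the new ZSK, and the old-algorithm keys should only be retired once the list is empty and the parent DS has been updated.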